A critical security fix has been merged into Movement's Aptos core repository, addressing a batch verification vulnerability in confidential asset transfer proofs. The issue involved a collision in gamma index assignment within the multi-scalar multiplication (MSM) batching optimization.
The Vulnerability
Confidential transfer proofs contain multiple algebraic equations that validators must verify. To optimize performance, the batch verifier combines these equations into a single multi-scalar multiplication by multiplying each by a distinct random weight called a "gamma." Each gamma is derived from a unique index pair `(i, j)` combined with a fresh random scalar. Soundness of the batch rests on those weights being distinct and unpredictable: if the combined sum is zero, then with overwhelming probability every individual equation holds. If two different proof relations accidentally received the same gamma, that argument breaks: an attacker could craft values where the error in one relation exactly cancels the error in the other, so the batch check accepts a proof in which neither relation holds on its own.
The bug occurred in the `msm_transfer_gammas` function whenever a transfer had two or more auditors. The index assignment for auditor ciphertext checks (`g7s`) used index `7+k` for auditor `k` (counting from zero), so the second auditor (`k = 1`) received index `8`. Simultaneously, the sender's transfer amount proof (`g8s`) was hardcoded to index `8`, so the two relations shared a gamma whenever more than one auditor was involved.
The Fix
The patch modifies `g8s` to use index `7 + auditors_count` instead of the hardcoded `8`, so it always lands immediately after the last auditor check regardless of how many auditors there are. This is a verifier-only change: gammas are computed on-chain after proof submission, so proof generation and client SDKs remain unaffected.
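To make the cancellation concrete, the following is an added toy model of the batched check and of the index layout described in the two sections above; it is example code written for this page, not the project's verifier. It replaces Ristretto255 points with residues modulo a small prime `P`, derives the gamma for index `i` as `rho^(i+1)` (the real verifier hashes the index pair with the fresh scalar; only the property that equal indices give equal gammas is needed here), and uses placeholder labels for the relations at indices 0 through 6, which the page does not describe. `transfer_gamma_layout(auditors_count, patched)` reproduces the hardcoded `8` when `patched` is false and `7 + auditors_count` when it is true; `forge_residuals` is the attacker's move.

```rust
// Toy model of a batched relation check with a gamma index collision.
// Assumptions (not the project's code): P is an arbitrary prime modulus,
// gamma(i) = rho^(i+1), relations below index 7 are unnamed placeholders.
const P: u64 = 4_294_967_291; // largest prime below 2^32

fn addm(a: u64, b: u64) -> u64 {
    ((a as u128 + b as u128) % (P as u128)) as u64
}

fn mulm(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % (P as u128)) as u64
}

fn negm(a: u64) -> u64 {
    (P - (a % P)) % P
}

fn powm(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1u64;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 {
            acc = mulm(acc, base);
        }
        base = mulm(base, base);
        exp >>= 1;
    }
    acc
}

/// One relation of the transfer proof and the gamma index it is weighted by.
#[derive(Debug, Clone, PartialEq)]
struct Relation {
    label: String,
    gamma_index: usize,
}

/// Gamma index layout for a transfer with `auditors_count` auditors.
/// Indices 0..7 stand in for the other relations (placeholder labels);
/// auditor k's ciphertext check uses 7 + k, as the text describes.
/// `patched == false` reproduces the hardcoded 8 for the sender amount
/// check; `patched == true` applies the fix, 7 + auditors_count.
fn transfer_gamma_layout(auditors_count: usize, patched: bool) -> Vec<Relation> {
    let mut layout: Vec<Relation> = (0..7)
        .map(|i| Relation { label: format!("other_relation_{}", i), gamma_index: i })
        .collect();
    for k in 0..auditors_count {
        layout.push(Relation { label: format!("auditor_{}_ciphertext", k), gamma_index: 7 + k });
    }
    let sender_index = if patched { 7 + auditors_count } else { 8 };
    layout.push(Relation { label: "sender_amount".to_string(), gamma_index: sender_index });
    layout
}

/// Positions of the first pair of relations that share a gamma index, if any.
fn find_collision(layout: &[Relation]) -> Option<(usize, usize)> {
    for a in 0..layout.len() {
        for b in (a + 1)..layout.len() {
            if layout[a].gamma_index == layout[b].gamma_index {
                return Some((a, b));
            }
        }
    }
    None
}

/// Toy gamma derivation: equal indices give equal gammas, distinct indices
/// give distinct gammas for any rho that is not 0 or 1.
fn gamma(rho: u64, index: usize) -> u64 {
    powm(rho, index as u64 + 1)
}

/// residuals[i] is "LHS - RHS" of relation i; an honest proof has all zeros.
/// The batch check folds every residual into one gamma-weighted sum.
fn batch_verify(layout: &[Relation], residuals: &[u64], rho: u64) -> bool {
    assert_eq!(layout.len(), residuals.len());
    let mut acc = 0u64;
    for (rel, &r) in layout.iter().zip(residuals) {
        acc = addm(acc, mulm(gamma(rho, rel.gamma_index), r));
    }
    acc == 0
}

/// What the verifier should have established: every relation holds on its own.
fn all_relations_hold(residuals: &[u64]) -> bool {
    residuals.iter().all(|&r| r % P == 0)
}

/// Attacker's move: with two relations sharing a gamma, put an error delta in
/// one and -delta in the other. The weighted sum cancels for every rho.
fn forge_residuals(layout: &[Relation], delta: u64) -> Option<Vec<u64>> {
    let (a, b) = find_collision(layout)?;
    let mut residuals = vec![0u64; layout.len()];
    residuals[a] = delta % P;
    residuals[b] = negm(delta);
    Some(residuals)
}

fn main() {
    let rho = 7u64; // a real verifier samples this fresh per batch; fixed here for display
    for &patched in &[false, true] {
        let layout = transfer_gamma_layout(2, patched);
        match forge_residuals(&layout, 42) {
            Some(res) => println!(
                "patched={}: collision={:?} relations_hold={} batch_passes={}",
                patched,
                find_collision(&layout).map(|(a, b)| (&layout[a].label, &layout[b].label)),
                all_relations_hold(&res),
                batch_verify(&layout, &res, rho)
            ),
            None => println!("patched={}: no gamma collision, forgery not possible", patched),
        }
    }
}
```

With two auditors the unpatched layout puts `auditor_1_ciphertext` and `sender_amount` on index 8, and the forged residual vector passes the batch check while both relations are individually wrong; the patched layout moves the sender check to index 9, so the same residual pattern is weighted by `rho^9` and `rho^10` and no longer cancels. Zero or one auditor never produces a shared index in either layout, which is the "unaffected" case the advisory notes.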
Testing and Impact
The fix ships with 78 Move unit tests and 143 Rust end-to-end tests, including a new regression test that reproduces the collision on the old index layout and confirms it is gone on the new one. The whitepaper has been updated with a new "Batch Soundness" subsection documenting the corrected gamma index layout. The vulnerability only manifested with two or more auditors; transfers with zero or one auditor were unaffected.

